DoubleAgent: Taking Full Control Over Your Antivirus


Overview

Our research team has uncovered a new Zero-Day attack for taking full control over major antiviruses and next-generation antiviruses. Instead of hiding and running away from the antivirus, attackers can now directly assault and hijack control over the antivirus. The attack begins when the attacker injects code into the antivirus by exploiting a new Zero-Day vulnerability. Once inside, the attacker can fully control the antivirus. We named this attack DoubleAgent, as it turns your antivirus security agent into a malicious agent, giving the illusion that the antivirus protects you while it is actually being abused to attack you.

DoubleAgent exploits a 15-year-old vulnerability which works on all versions of Microsoft Windows, from Windows XP right up to the latest release of Windows 10. The sad but plain fact is that the vulnerability is yet to be patched by most of the antivirus vendors and could be used in the wild to attack almost any organization that uses an antivirus.

Once the attacker has gained control of the antivirus, he may command it to perform malicious operations on his behalf. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

The attack has been tested and proven on all the major antiviruses as well as on all versions of Microsoft Windows. The attack was reported to all the major vendors, which confirmed the vulnerability and are currently working on finding a solution and releasing a patch.

How Does DoubleAgent Work?

DoubleAgent exploits a legitimate Windows tool called ‘Microsoft Application Verifier’, which is included in all versions of Microsoft Windows and is used as a runtime verification tool to discover and fix bugs in applications. Our researchers discovered an undocumented ability of Application Verifier that lets an attacker replace the standard verifier with his own custom verifier. An attacker can use this ability to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker has full control over the application.

Application Verifier was created to strengthen application security by discovering and fixing bugs, and ironically DoubleAgent uses this very feature to perform malicious operations. For more information and a technology deep dive, please see our technical blog.

Vulnerable Antiviruses

The list of vendors that have been tested and found to be vulnerable to DoubleAgent. The tests were done on the latest version of each vendor’s product on Windows 10 x64 using our POC code.

Antivirus Attack Vectors

During a normal cyber attack, the attacker invests a lot of effort hiding and running away from the antivirus. By using DoubleAgent, the attacker can take full control over the antivirus and do as he wishes without fear of being caught or blocked. He could:

Turn the Antivirus into a malware – Perform malicious operations on behalf of the attacker. Because the antivirus is considered a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

Modify the Antivirus internal behaviour – Changing the antivirus whitelists/blacklists, internal logic and even installing backdoors. The antivirus would still appear to work normally but would actually be completely useless, giving the attacker the ability to execute malware that would normally be blocked without any interference.

Abuse the Antivirus trusted nature – The antivirus is considered one of the most trusted entities in an organization. The attacker can use the antivirus to perform operations that would normally raise “red flags” like exfiltrating data, C&C communication, lateral movement, stealing and decrypting sensitive data, etc. All of these operations would seem legitimate because they are done by the antivirus.

Destroy the Machine – The antivirus has complete power over the machine, which can allow it to easily encrypt all your files or even format your hard drives.

Denial of Service – An antivirus is responsible for flagging software as malicious based on a set of heuristic rules. Once an antivirus decides a file is malicious, it creates a signature for it and shares it globally around the world. Because the attacker controls the antivirus, he may sign totally legitimate and critical applications such as browsers, document viewers, or even key components deep within the operating system. Once the new signature has spread across the organization, all the other instances of the antivirus would remove/delete the critical application, causing a total denial of service for the entire organization.

Additional Attack Vectors

Generic Persistency (auto-run) Technique

Persistence is any action that gives an attacker a persistent presence on a system. Attackers will often need to maintain access to systems through interruptions such as system restarts.

Today there are just a few known persistence mechanisms. AVs and NGAVs are constantly monitoring for these techniques and trying to detect any malicious process that tries to use one of them. DoubleAgent can continue injecting code even after a reboot, making it a perfect persistency technique to “survive” reboots, updates, reinstalls, patches, etc.

Once a persistence technique is well known, security products update their signatures accordingly, so a known persistence technique can be detected and mitigated by the security products. Being a new persistence technique, DoubleAgent bypasses AV, NGAV and other endpoint solutions, giving an attacker the ability to perform his attack undetected with no time limit.

Generic Code Injection Technique

This technique can also be used as a new way of injecting code into any application, bypassing current security solutions that attempt to prevent such injections, and in the process adding malicious code into legitimate processes. Under the disguise of legal operations, an attacker is then able to steal data, encrypt data or take part in other activities without interruption, since no security solution is capable of detecting this kind of code injection. As such, the attacker can feed malicious code into your system and steal your information from under your nose without any detection by your security products. Since the DoubleAgent technique uses a legitimate operating system mechanism to inject its code, it can’t be patched and this injection technique will live forever. So there is no notion of a patch.

Mitigation

Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes”, and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus, as the attacker’s code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made it available more than 3 years ago. It’s important to note that even if the antivirus vendors block the registration attempts, the code injection technique and the persistency technique would live forever, since they are a legitimate part of the OS.
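The “How Does DoubleAgent Work?” section above describes a custom verifier being registered for a target application, and the mitigation paragraph notes that vendors can at least block the registration attempts. The script below is an added defensive example, not Cybellum’s code and not the DoubleAgent POC: it audits a Windows machine for Application Verifier provider registrations so an administrator or incident responder can spot one that points at an antivirus or other security product. It assumes that Application Verifier providers are registered under Image File Execution Options (IFEO) with the FLG_APPLICATION_VERIFIER bit (0x100) in GlobalFlag and a space-separated VerifierDlls value, and that provider DLLs are resolved from System32 (or SysWOW64 for the Wow6432Node hive); the function names are the example’s own.

```powershell
# Added example (not Cybellum's code): enumerate Application Verifier provider
# registrations under IFEO and report whether each referenced DLL exists and is signed.
# Assumptions (labelled): GlobalFlag bit 0x100 enables the verifier, VerifierDlls lists
# provider DLL file names, and those names resolve under System32 / SysWOW64.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierRegistration {
    # Yields one object per image name that has VerifierDlls set or the verifier flag on.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $flag = 0
            if ($props.GlobalFlag) { $flag = [int]$props.GlobalFlag }   # REG_DWORD or "0x100"-style string
            $dlls = $props.VerifierDlls
            if (-not $dlls -and -not ($flag -band 0x100)) { continue }
            [pscustomobject]@{
                Image        = $key.PSChildName
                Wow64        = ($root -like '*Wow6432Node*')
                GlobalFlag   = ('0x{0:X}' -f $flag)
                VerifierOn   = [bool]($flag -band 0x100)
                VerifierDlls = $dlls
            }
        }
    }
}

function Test-VerifierDll {
    # Resolves a provider DLL name the way the loader would and checks its Authenticode status.
    param([string]$DllName, [bool]$Wow64)
    $dir  = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    $path = Join-Path -Path $dir -ChildPath $DllName
    if (-not (Test-Path -Path $path)) {
        return [pscustomobject]@{ Dll = $DllName; Path = $path; Exists = $false; Signature = 'missing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Dll       = $DllName
        Path      = $path
        Exists    = $true
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$hits = @(Get-VerifierRegistration)
if ($hits.Count -eq 0) {
    Write-Output 'No Application Verifier provider registrations found under IFEO.'
    return
}
foreach ($h in $hits) {
    $tag = if ($h.VerifierOn) { 'VERIFIER-ON' } else { 'DLLS-ONLY' }
    Write-Output ('[{0}] {1}  GlobalFlag={2}  VerifierDlls=''{3}''' -f $tag, $h.Image, $h.GlobalFlag, $h.VerifierDlls)
    if ($h.VerifierDlls) {
        foreach ($dll in ($h.VerifierDlls -split '[\s,;]+' | Where-Object { $_ })) {
            $r = Test-VerifierDll -DllName $dll -Wow64 $h.Wow64
            Write-Output ('    {0,-28} exists={1,-5} signature={2,-12} signer={3}' -f $r.Dll, $r.Exists, $r.Signature, $r.Signer)
        }
    }
}
```

Run it from an elevated PowerShell prompt, since IFEO lives under HKLM. On a workstation that has never run Application Verifier the expected output is the single “No Application Verifier provider registrations found” line; any entry whose image name is an antivirus or endpoint-agent executable, or whose DLL is missing, unsigned, or signed by a publisher other than Microsoft or the product’s vendor, deserves investigation, and removing the VerifierDlls value and clearing bit 0x100 in GlobalFlag for that image stops the provider from being loaded at the next start of that process.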

Summary

Attackers are always evolving and finding new Zero-Day attacks. We need to make more efforts to detect and prevent these attacks, and stop blindly trusting traditional security solutions that, as shown here, are not only ineffective against Zero-Days but also open new opportunities for the attacker to create complicated and deadly attacks.

Appendix A – Taking Full Control Over Norton Antivirus POC

We’ve created a full proof-of-concept demonstration taking over the latest version of Symantec Norton antivirus. In that demo we injected code into Norton, a task that is itself considered very difficult, as Norton, like any other antivirus, performs many checks and uses many self-protection techniques to make sure this won’t happen. The injected code changes Norton’s entire user interface and gives the attacker the ability to perform malicious operations under Norton’s process, such as converting it into ransomware and encrypting files. The full demonstration can be found in this video. Here is the original window of the antivirus, showing that everything is protected:

And below is the modified version, after DoubleAgent was injected into it and made its malicious modifications:

*Update

– To clarify, of course we haven’t discovered the existence of Application Verifier; it’s part of the OS so users can use it. Application Verifier as a hooking technique was discussed long ago, as early as 2011. What we discovered and focused on was that AVRF can be used for: 1. A generic code injection technique that is undetected by AV. 2. A generic persistence technique that is also undetected by AV. 3. And most importantly, injecting code directly into the AV while bypassing its self-protection techniques. None of these points were discussed in previous articles. We believe these points are a significant tool that can be used by attackers to help bypass and abuse antivirus software.

– You do need a privileged account to run DoubleAgent, as DoubleAgent is designed as a post-breach attack. Even after a computer is breached, an attacker still needs to hide from the AV, spread its code, maintain persistence and find ways to exfiltrate/steal/encrypt data without being caught. DoubleAgent gives the attacker the ability to control the AV and perform all the operations above without being detected, while keeping the illusion that the AV is working normally.

– ESET AV does implement “Protected Processes”, however not for all of its processes, so they are still vulnerable.

– Trend Micro just released a hotfix for the vulnerability; you can find the official hotfix here.

*Disclaimer: These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. Neither Cybellum Technologies LTD, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for such actions. Neither the creator nor blogger is responsible for the comments posted on this website. We do NOT promote Hacking! We publish this material so it can be useful to Protect yourself. The technologies discussed in this publication, the limitations on these technologies that the technology and content owners seek to impose, and the laws actually limiting the use of these technologies are constantly changing. Thus, some of the hacks described in this publication may not work, may cause unintended harm to equipment or systems on which they are used, or may be inconsistent with applicable law or user agreements. Your use of these projects is at your own risk, and Cybellum Technologies LTD. disclaims responsibility for any damage or expense resulting from their use. In any event, you should take care that your use of these projects does not violate any applicable laws, including copyright laws.


72 Comments

The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.

This statement is probably not true: according to CVE-2017-5567 it works only on Avast 12.3 and older. Avast is now live on 17.2 and beta testing version 17.3.
So where is the truth?
Cheers

Shane
on March 23, 2017 at 1:45 pm

They just released 17.2 a short time ago. I’m sure this testing was done further back when it was discovered. Only time will tell if new version is affected. Try it out.

Tunde Ogunkoya
on March 22, 2017 at 12:08 pm

Interesting … The days of seeing an antivirus program as a panacea are long gone!

tree mender
on March 23, 2017 at 6:20 am

It’s a catastrophic flaw in Windows itself, not anti-virus programs. An anti-virus is only as good as the OS it is trying to protect.

Dan
on March 26, 2017 at 11:24 pm

So true! Cheers!

Zothan
on March 28, 2017 at 5:30 pm

Perhaps Microsoft will patch the vulnerability in the next major release (Creators Update).

Eylon
on March 22, 2017 at 3:57 pm

Kings!

bob
on March 22, 2017 at 4:59 pm

Has anyone tried whitelisting software as a defense?

danag
on March 22, 2017 at 8:44 pm

“Currently no antivirus (except Windows Defender) has implemented this design.”
What the liars can do to arise in av world…

cybellum
on March 23, 2017 at 8:01 pm

This vulnerability has been tested and worked on all the listed vendors, none of them implemented PP.
After publication, ESET enlightened us that one of their processes indeed implemented PP (ekrn.exe) and it was noted in our update. Note that ESET still had more than a dozen auxiliary processes that didn’t implement PP and were vulnerable to DoubleAgent.

If you have information about other vendors that did implement PP, please let us know and we would be happy to issue an update.

John
on March 23, 2017 at 3:23 am

Why do I get error 0xc0000140 when I try to inject the DLL?

Michael
on March 26, 2017 at 4:34 pm

We need a bit more details, contact us at info@cybellum.com and we would try to help.

Hakim KT
on March 23, 2017 at 4:45 am

Will it work on other endpoint protection methods i.e. application whitelisting, PA traps etc.

Ronen lago
on March 23, 2017 at 4:51 am

Great work guys !!!

giorgio
on March 23, 2017 at 5:52 pm

good excellent copy….

Daniel Mcintyre
on March 23, 2017 at 8:29 pm

You only list av that had been tested and is vulnerable, does this mean all tested av has been vulnerable? If not, do you have a list that are not vulnerable?

Michael
on March 26, 2017 at 4:37 pm

All the AV vendors we tested were found vulnerable and are listed in the list above. More vendors, that were not tested by us, may be vulnerable too.

Sean Cassidy
on March 23, 2017 at 10:04 pm

Can you respond to claims that this research is actually duplicated from Alex Ionescu’s 2015 RECon talk?

Michael
on March 28, 2017 at 5:26 pm

Alex talked about using Application Verifier as a hooking technique; we’re talking about abusing it to attack antiviruses. Check out the update we issued to this post, I hope it clarifies the differentiation.

jonhn
on March 23, 2017 at 10:16 pm

wtf my computer is not protection

otep
on March 24, 2017 at 2:08 am

test file anyone please?

Peds
on March 24, 2017 at 5:09 am

In case some of you have heard the “direct access” argument:
Saying that malware isn’t dangerous because it requires direct access, is like saying, malware isn’t dangerous because it needs a computer to execute it.
Having said that, there is no point in panicking. Keep your stuff up to date (many AVs have released patches since the release of this article).

Makes lot of sense. Computer world is full of viruses, still its use is becoming more indispensable. Just like pharmaceuticals, this Anti-virus industry is too unique to eliminate totally. All is well. Regards

jkohut
on March 24, 2017 at 12:11 pm

Did you report these new finding to Microsoft and then wait at least 30 days before announcing ? Seems like that would have been the appropriate thing to do.

Michael
on March 26, 2017 at 4:42 pm

We reported to Microsoft more than 4 months ago (11/11/16). We also reported to every AV vendor more than 90 days ago.

Van
on March 24, 2017 at 2:24 pm

“Build the main solution twice, once in x86 and once in x64. This step is crucial as it creates both x86 and x64 versions of DoubleAgentDll.dll which is required in order to perform a successful installation.” How is that done. Any help there?

Michael
on March 26, 2017 at 4:43 pm

Build the solution once for the x86 platform, then change the build platform to x64 (http://imgur.com/mOjc5W3/) and build it again. This would create both x86 and x64 versions of DoubleAgentDll.dll, which is required in order to perform a successful installation.


Ryan
on March 30, 2017 at 7:40 pm

Hi, I see Emsisoft is not listed, can you tell me if that vendor was tested or not.


Alice
on April 27, 2017 at 10:15 am

Hello, Thanks for your sharing.
I have downloaded the project from GitHub, but I need the code of the DLL which attacks Norton anti-virus (as shown in the YouTube video).
Can I have the code?